184 lines
4.8 KiB
Markdown
184 lines
4.8 KiB
Markdown
|
---
|
||
|
title: "Integration with cert-manager"
|
||
|
description: "Learn how to use cert-manager certificates with Traefik Proxy for your routers. Read the technical documentation."
|
||
|
---
|
||
|
|
||
|
# cert-manager
|
||
|
|
||
|
Provision TLS Certificate for Traefik Proxy with cert-manager on Kubernetes
|
||
|
{: .subtitle }
|
||
|
|
||
|
## Pre-requisites
|
||
|
|
||
|
To obtain certificates from cert-manager that can be used in Traefik Proxy, you will need to:
|
||
|
|
||
|
1. Have cert-manager properly configured
|
||
|
2. Have Traefik Proxy configured
|
||
|
|
||
|
The certificates can then be used in an Ingress / IngressRoute / HTTPRoute.
|
||
|
|
||
|
## Example with ACME and HTTP challenge
|
||
|
|
||
|
!!! example "ACME issuer for HTTP challenge"
|
||
|
|
||
|
```yaml tab="Issuer"
|
||
|
apiVersion: cert-manager.io/v1
|
||
|
kind: Issuer
|
||
|
metadata:
|
||
|
name: acme
|
||
|
|
||
|
spec:
|
||
|
acme:
|
||
|
# Production server is on https://acme-v02.api.letsencrypt.org/directory
|
||
|
# Use staging by default.
|
||
|
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||
|
privateKeySecretRef:
|
||
|
name: acme
|
||
|
solvers:
|
||
|
- http01:
|
||
|
ingress:
|
||
|
ingressClassName: traefik
|
||
|
```
|
||
|
|
||
|
```yaml tab="Certificate"
|
||
|
apiVersion: cert-manager.io/v1
|
||
|
kind: Certificate
|
||
|
metadata:
|
||
|
name: whoami
|
||
|
namespace: traefik
|
||
|
spec:
|
||
|
secretName: domain-tls # <=== Name of secret where the generated certificate will be stored.
|
||
|
dnsNames:
|
||
|
- "domain.example.com"
|
||
|
issuerRef:
|
||
|
name: acme
|
||
|
kind: Issuer
|
||
|
```
|
||
|
|
||
|
Let's see now how to use it with the various Kubernetes providers of Traefik Proxy.
|
||
|
The enabled providers can be seen on the [dashboard](../../operations/dashboard/) of Traefik Proxy and also in the INFO logs when Traefik Proxy starts.
|
||
|
|
||
|
### With an Ingress
|
||
|
|
||
|
To use this certificate with an Ingress, the [Kubernetes Ingress](../../providers/kubernetes-ingress/) provider has to be enabled.
|
||
|
|
||
|
!!! info Traefik Helm Chart
|
||
|
|
||
|
This provider is enabled by default in the Traefik Helm Chart.
|
||
|
|
||
|
!!! example "Route with this Certificate"
|
||
|
|
||
|
```yaml tab="Ingress"
|
||
|
apiVersion: networking.k8s.io/v1
|
||
|
kind: Ingress
|
||
|
metadata:
|
||
|
name: domain
|
||
|
annotations:
|
||
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||
|
|
||
|
spec:
|
||
|
rules:
|
||
|
- host: domain.example.com
|
||
|
http:
|
||
|
paths:
|
||
|
- path: /
|
||
|
pathType: Exact
|
||
|
backend:
|
||
|
service:
|
||
|
name: domain-service
|
||
|
port:
|
||
|
number: 80
|
||
|
tls:
|
||
|
- secretName: domain-tls # <=== Use the name defined in Certificate resource.
|
||
|
```
|
||
|
|
||
|
### With an IngressRoute
|
||
|
|
||
|
To use this certificate with an IngressRoute, the [Kubernetes CRD](../../providers/kubernetes-crd) provider has to be enabled.
|
||
|
|
||
|
!!! info Traefik Helm Chart
|
||
|
|
||
|
This provider is enabled by default in the Traefik Helm Chart.
|
||
|
|
||
|
!!! example "Route with this Certificate"
|
||
|
|
||
|
```yaml tab="IngressRoute"
|
||
|
apiVersion: traefik.io/v1alpha1
|
||
|
kind: IngressRoute
|
||
|
metadata:
|
||
|
name: domain
|
||
|
|
||
|
spec:
|
||
|
entryPoints:
|
||
|
- websecure
|
||
|
|
||
|
routes:
|
||
|
- match: Host(`domain.example.com`)
|
||
|
kind: Rule
|
||
|
services:
|
||
|
- name: domain-service
|
||
|
port: 80
|
||
|
tls:
|
||
|
secretName: domain-tls # <=== Use the name defined in Certificate resource.
|
||
|
```
|
||
|
|
||
|
### With an HTTPRoute
|
||
|
|
||
|
To use this certificate with an HTTPRoute, the [Kubernetes Gateway](../../routing/providers/kubernetes-gateway) provider has to be enabled.
|
||
|
|
||
|
!!! info Traefik Helm Chart
|
||
|
|
||
|
This provider is disabled by default in the Traefik Helm Chart.
|
||
|
|
||
|
!!! example "Route with this Certificate"
|
||
|
|
||
|
```yaml tab="HTTPRoute"
|
||
|
---
|
||
|
apiVersion: gateway.networking.k8s.io/v1
|
||
|
kind: Gateway
|
||
|
metadata:
|
||
|
name: domain-gateway
|
||
|
spec:
|
||
|
gatewayClassName: traefik
|
||
|
listeners:
|
||
|
- name: websecure
|
||
|
port: 8443
|
||
|
protocol: HTTPS
|
||
|
hostname: domain.example.com
|
||
|
tls:
|
||
|
certificateRefs:
|
||
|
- name: domain-tls # <==== Use the name defined in Certificate resource.
|
||
|
---
|
||
|
apiVersion: gateway.networking.k8s.io/v1
|
||
|
kind: HTTPRoute
|
||
|
metadata:
|
||
|
name: domain
|
||
|
spec:
|
||
|
parentRefs:
|
||
|
- name: domain-gateway
|
||
|
hostnames:
|
||
|
- domain.example.com
|
||
|
rules:
|
||
|
- matches:
|
||
|
- path:
|
||
|
type: Exact
|
||
|
value: /
|
||
|
|
||
|
backendRefs:
|
||
|
- name: domain-service
|
||
|
port: 80
|
||
|
weight: 1
|
||
|
```
|
||
|
|
||
|
## Troubleshooting
|
||
|
|
||
|
There are multiple event sources available to investigate when using cert-manager:
|
||
|
|
||
|
1. Kubernetes events in `Certificate` and `CertificateRequest` resources
|
||
|
2. cert-manager logs
|
||
|
3. Dashboard and/or (debug) logs from Traefik Proxy
|
||
|
|
||
|
cert-manager documentation provides a [detailed guide](https://cert-manager.io/docs/troubleshooting/) on how to troubleshoot a certificate request.
|
||
|
|
||
|
{!traefik-for-business-applications.md!}
|